author | David Gibson <david@gibson.dropbear.id.au> | 2022-09-24 19:08:23 +1000 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-09-24 14:48:35 +0200 |
commit | 8978f6552b8cfae28b9d842db99b01aefb465812 (patch) | |
tree | 05ec8c3d3959f3d5e0adafbd71c0ac051e911675 /icmp.c | |
parent | d5b80ccc72ed36367ac327748be66323c858ad5d (diff) | |
icmp: Correct off by one errors dealing with number of echo request ids2022_09_24.8978f65
ICMP echo request and reply packets include a 16-bit 'id' value. We have
some arrays indexed by this id value. Unfortunately we size those arrays
with USHRT_MAX (65535) when they need to be sized by the total number of
id values (65536). This could lead to buffer overruns. Resize the arrays
correctly, using a new define for the purpose.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'icmp.c')
-rw-r--r-- | icmp.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -39,6 +39,7 @@
 #include "icmp.h"
 #define ICMP_ECHO_TIMEOUT 60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS (1U << 16)
 /**
  * struct icmp_id_sock - Tracking information for single ICMP echo identifier
@@ -53,10 +54,10 @@ struct icmp_id_sock {
 };
 /* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map [IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
 /* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act [IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];
 /**
  * icmp_sock_handler() - Handle new data from socket |
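Review bot: The new `ICMP_NUM_IDS` define in the first hunk has no comment, while `ICMP_ECHO_TIMEOUT` directly above it documents its unit and purpose. Since this constant is what bounds every id-indexed array, I would state where the value comes from: `#define ICMP_NUM_IDS (1U << 16) /* number of distinct 16-bit echo identifiers, 0..65535 */`. That makes it harder for a later edit to swap it back to a "maximum value" constant, which is the mistake being corrected here.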
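Review bot: The second hunk corrects the two declarations, but the diffstat shows only these lines of icmp.c changed, so any loop bound or range check elsewhere in the file that was written against `USHRT_MAX` or `USHRT_MAX / 8` is untouched. Such code is not visible in the hunk; if it exists, it would now stop short of the last identifiers, leaving id 65535 and the final byte of each `icmp_act` row unscanned. It is worth grepping the file for remaining `USHRT_MAX` uses and replacing them with `ICMP_NUM_IDS` or `sizeof(icmp_act[0])`. The index is a value carried in packets, so I would also record the invariant above the arrays, for example `/* Sized by ICMP_NUM_IDS: every 16-bit id, 0..65535, must be a valid index */`. The icmp_sock_handler() doc comment at the end of the hunk continues outside it.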